US9213849B2 - Hierarchical access control administration preview - Google Patents
- Publication number
- US9213849B2
- Authority
- US
- United States
- Prior art keywords
- access rights
- content
- rights
- selected content
- hierarchically organized
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related, expires
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2149—Restricted operating environment
Definitions
- the present invention relates to the field of access control and rights management for electronic content and more particularly to visualization of access control rights for hierarchically organized content.
- a computer program accesses content, manipulates content, presents content and stores content.
- Much attention during the development of a computer program focuses on the efficient storage of content.
- substantially greater attention has been placed recently on access control to content accessible by multiple different end users.
- Access control refers to the restriction of access to content based upon a number of factors that may include the nature of the content sought for access, the identity of the user seeking access to the content, or the role of the user seeking access to the content.
- Early attempts at access control embedded the access control logic in direct connection with the program code providing access to content. Even for the most ordinary application, however, creating and maintaining a consistent access control scheme across a vast code base can be difficult and ill advised.
- it is preferred to define an entire data structure for permitting or restricting access to different content in a multi-user computing application such that every attempt to access content in a computing application can refer to a central access control list (ACL) in order to determine whether or not to grant the specified type of access to particular content in the computing application.
- a hierarchically organized set of content can include a selection of nodes arranged hierarchically from a single root to many different leaves via branches and sub-trees, as is well known in the art.
- the core concern is the determination of access rights for an authenticated user on one node, either expressly defined for the node, or implicitly defined (e.g. inherited) according to access rights afforded to the authenticated user in connection with a parent node.
- Administering access rights for hierarchically organized content is known to be error prone.
- typically an administrator of access control rights provides access rights for only a small subset of nodes representative of content in the hierarchy resulting in a sparsely populated hierarchy of access control rights.
- Nodes in the hierarchy that do not enjoy expressly assigned access control rights often inherit access control rights by implication of the rights expressly assigned to a parent node in the hierarchy. Identifying implied rights for a node in a view to the hierarchy can be challenging for a large hierarchy. Consequently, administrators frequently expressly assign access control rights to nodes in a hierarchy that conflict with the implicitly defined rights for the same node.
- Resolution rules generally are provided to resolve such conflicts; however, the resolution rules are not also visualized in the view to the hierarchy.
- the administrator of the access control rights to the hierarchy must rely upon deep knowledge of the resolution rules, in the absence of which the administrator has no remedy for visualizing the access control rights expressed in the view to the hierarchy.
- Embodiments of the present invention address deficiencies of the art in respect to visualizing access control rights for hierarchically organized content and provide a novel and non-obvious method, system and computer program product for hierarchical access control administration preview of access control rights for hierarchically organized content.
- a method for rendering a hierarchical access control administration preview of access control rights for hierarchically organized content can be provided.
- the method can include rendering a view of hierarchically organized content in connection with corresponding access rights and proposing explicitly assigned access rights for selected content in the hierarchically organized content.
- the method also can include re-rendering the view to reflect both the proposed explicitly assigned access rights for the selected content and also implicitly resulting assigned access rights for the children of the selected content.
- the method further can include applying the proposed explicitly assigned access rights responsive to a request to commit the proposed explicitly assigned access rights and otherwise discarding the proposed explicitly assigned access rights.
- the method yet further can include displaying an indication of disabled access rights for selected content resulting from explicitly assigned access rights for a parent of the selected content conflicting with the disabled access rights.
- an access control data processing system can be configured for a hierarchical access control administration preview of access control rights for hierarchically organized content.
- the system can include a data store of hierarchically organized content, a host computing platform supporting a content management server providing multi-user access to the hierarchically organized content, and an access control module coupled to the content management server controlling access to the hierarchically organized content according to corresponding access rights.
- the system also can include administration preview logic coupled to the access control module.
- the logic can include program code enabled to render a view of the hierarchically organized content in connection with the corresponding access rights, to propose explicitly assigned access rights for selected content in the hierarchically organized content, and to re-render the view to reflect both the proposed explicitly assigned access rights for the selected content and also implicitly resulting assigned access rights for the children of the selected content.
- the access rights can include any one of grant review, grant read, deny access and deny review.
- FIG. 1 is a pictorial illustration of a hierarchical access control administration preview of access control rights for hierarchically organized content
- FIG. 2 is a schematic illustration of an access control data processing system configured for a hierarchical access control administration preview of access control rights for hierarchically organized content
- FIG. 3 is a flow chart illustrating a process for rendering a hierarchical access control administration preview of access control rights for hierarchically organized content.
- Embodiments of the present invention provide a method, system and computer program product for a hierarchical access control administration preview of access control rights for hierarchically organized content.
- different access rights for corresponding different hierarchically organized content can be rendered in connection with a view to the hierarchically organized content.
- both explicitly assigned access rights and also implicitly resulting access rights can be rendered.
- explicitly assigned access rights can be proposed through the view for content in the hierarchy.
- Implicitly resulting access rights for children of the content can be computed and the view can be re-rendered to include both the proposed explicitly assigned access rights and the implicitly resulting access rights for the children.
- the proposed explicitly assigned rights can be applied or discarded at the discretion of the end user.
- FIG. 1 pictorially shows a hierarchical access control administration preview of access control rights for hierarchically organized content.
- a hierarchical access control administration preview 180 can include a rendering of hierarchically organized content 100 .
- Access rights 110 can be explicitly assigned to content in the hierarchically organized content 100 and rendered therewith.
- the explicitly assigned access rights 110 can include, by way of example, the right to read associated content, the right to review (e.g. edit) associated content, as well as the denial of access to associated content and the denial of review rights for associated content.
- Implicitly resulting access rights 120 also can be rendered distinctively to indicate the inherited implicit assignment of the implicitly resulting access rights 120 .
- an end user can select content in the hierarchically organized content 100 in order to propose an explicit assignment of access rights 130 .
- Implicitly resulting access rights 140 from the proposed explicit assignment of access rights 130 for child content of the selected content can be computed.
- the rendering of the hierarchically organized content 100 can be re-rendered or otherwise updated to reflect both the proposed explicit assignment of access rights 130 for the selected content and also the computed implicitly resulting access rights 140 for the child content of the selected content.
- the re-rendering can occur automatically or upon a manual selection of a refresh control 150 .
- the proposed explicit assignment of access rights 130 can be applied through a selection of a commit control 160 .
- the proposed explicit assignment of access rights 130 can be discarded through a selection of a cancel control 170 .
- an indication of what access rights are not permitted resulting from a conflicting assignment of access for parent content can be provided.
- a proposal of grant read or grant review access rights can be disabled.
- the administration of access rights for the hierarchically organized content 100 can be facilitated by a visualization of the impact of a proposed explicit assignment of access rights for parent content on implicitly resulting access rights of child content.
- FIG. 2 schematically depicts an access control data processing system configured for a hierarchical access control administration preview of access control rights for hierarchically organized content.
- the system can include a host computing platform 210 supporting the operation of a content management server 250 .
- the content management server 250 can be a multi-user computing application providing access to multiple different users to hierarchically organized content, for example different documents, stored in a coupled data store of hierarchically organized content 260 .
- the content management server 250 can be configured for access by different users over computer communications network 230 . Specifically, different users can interact with the content management server 250 through individual content management clients 240 executing in client computing devices 220 .
- access control module 270 can be coupled to the content management server 250 through the host computing platform 210 .
- Access control module 270 can be configured to manage access control in respect to access rights assigned to different content in the data store of hierarchically organized content 260 .
- administration preview logic 300 can be coupled to the access control module 270 .
- the administration preview logic 300 can be incorporated as part of the access control module 270 or the content management server 250 .
- the administration preview logic 300 can be incorporated as part of each content management client 240 .
- the administration preview logic 300 can include program code enabled to render different access rights for corresponding different hierarchically organized content in the data store of hierarchically organized content 260 in connection with a view to the hierarchically organized content.
- the program code further can be enabled to receive from an end user a proposal of explicitly assigned access rights through the view for content in the hierarchy.
- the program code yet further can be enabled to compute implicitly resulting access rights for children of the content and to re-render the view to include both proposed explicitly assigned access rights and the implicitly resulting access rights for the children. Finally, the program code can be enabled to apply or discard the proposed explicitly assigned rights at the discretion of the end user.
- FIG. 3 is a flow chart illustrating a process for rendering a hierarchical access control administration preview of access control rights for hierarchically organized content.
- hierarchically organized content can be loaded into memory and in block 320 , access rights for the hierarchically organized content can be retrieved.
- a tree view of the hierarchically organized content can be rendered along with assigned access rights.
- individual content can be selected in the hierarchically organized content.
- one or more explicitly assigned access rights can be proposed for the individual content.
- implicitly resulting access rights for the children of the individual content can be computed and rendered in the tree view.
- In decision block 370, if the proposed explicitly assigned access rights are determined to be acceptable, in block 290 the proposed explicitly assigned access rights can be applied to the selected content in block 390 and the tree view can be refreshed to reflect the application of the proposed explicitly assigned access rights in block 400 . Otherwise, in block 380 the proposed explicitly assigned access rights can be discarded.
- Embodiments of the invention can take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment containing both hardware and software elements.
- the invention is implemented in software, which includes but is not limited to firmware, resident software, microcode, and the like.
- the invention can take the form of a computer program product accessible from a computer-usable or computer-readable medium providing program code for use by or in connection with a computer or any instruction execution system.
- a computer-usable or computer readable storage medium can be any apparatus that can contain or store the program for use by or in connection with the instruction execution system, apparatus, or device.
- the storage medium can be an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system (or apparatus or device).
- Examples of a computer-readable storage medium include a semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disk and an optical disk.
- Current examples of optical disks include compact disk-read only memory (CD-ROM), compact disk-read/write (CD-R/W) and DVD.
- a data processing system suitable for storing and/or executing program code will include at least one processor coupled directly or indirectly to memory elements through a system bus.
- the memory elements can include local memory employed during actual execution of the program code, bulk storage, and cache memories which provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during execution.
- I/O devices including but not limited to keyboards, displays, pointing devices, etc.
- Network adapters may also be coupled to the system to enable the data processing system to become coupled to other data processing systems or remote printers or storage devices through intervening private or public networks. Modems, cable modems and Ethernet cards are just a few of the currently available types of network adapters.
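
The propose / re-render / commit-or-discard flow of FIG. 3, including the disabled-rights indication, can be sketched as follows. This is an added example, not code from the patent; the class and function names, the sample tree, and the conflict rule (a deny inherited from the nearest explicitly assigned ancestor disables the matching grants) are assumptions, since the description does not spell out its resolution rules.

```python
from dataclasses import dataclass, field
from typing import Optional

GRANT_REVIEW, GRANT_READ, DENY_REVIEW, DENY_ACCESS = (
    "grant review", "grant read", "deny review", "deny access")

# Assumed resolution rule: an inherited deny disables these grant proposals.
BLOCKED_BY = {DENY_ACCESS: {GRANT_READ, GRANT_REVIEW},
              DENY_REVIEW: {GRANT_REVIEW}}

@dataclass(eq=False)  # identity hashing, so nodes can be dict keys
class Node:
    name: str
    explicit: Optional[str] = None          # explicitly assigned right, if any
    children: list = field(default_factory=list)
    parent: Optional["Node"] = None

    def add(self, child):
        child.parent = self
        self.children.append(child)
        return child

def inherited(node, overlay):
    """Right implied by the nearest ancestor carrying an explicit or proposed right."""
    p = node.parent
    while p is not None:
        right = overlay.get(p, p.explicit)
        if right is not None:
            return right
        p = p.parent
    return None

class Preview:
    """Holds proposed assignments separately from the tree until commit."""
    def __init__(self, root):
        self.root = root
        self.proposed = {}                  # node -> proposed explicit right

    def disabled(self, node):
        """Rights that cannot be proposed for node because of its ancestors."""
        return set(BLOCKED_BY.get(inherited(node, self.proposed), ()))

    def propose(self, node, right):
        if right in self.disabled(node):
            raise ValueError(f"{right!r} is disabled for {node.name}")
        self.proposed[node] = right

    def render(self):
        """Rows of (name, right, kind, conflict) for the whole tree view."""
        rows = []
        def walk(n):
            inh = inherited(n, self.proposed)
            if n in self.proposed:
                right, kind = self.proposed[n], "proposed"
            elif n.explicit is not None:
                right, kind = n.explicit, "explicit"
            else:
                right, kind = inh, "implicit"
            # Flag explicit rights that the (possibly proposed) parent right overrides.
            rows.append((n.name, right, kind, right in BLOCKED_BY.get(inh, ())))
            for c in n.children:
                walk(c)
        walk(self.root)
        return rows

    def commit(self):                       # commit control: apply proposals
        for n, r in self.proposed.items():
            n.explicit = r
        self.proposed.clear()

    def cancel(self):                       # cancel control: discard proposals
        self.proposed.clear()

def build_sample():
    """Constructed sample hierarchy, sparsely populated with explicit rights."""
    root = Node("docs", GRANT_READ)
    finance = root.add(Node("finance"))
    nodes = {"docs": root, "finance": finance,
             "payroll": finance.add(Node("payroll", GRANT_REVIEW)),
             "budget": finance.add(Node("budget")),
             "public": root.add(Node("public"))}
    return root, nodes
```

Proposing `deny access` on `finance` and calling `render()` shows `budget` inheriting the deny and the existing explicit grant on `payroll` flagged as a conflict, all before anything is written to the tree.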
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/200,738 US9213849B2 (en) | 2008-08-28 | 2008-08-28 | Hierarchical access control administration preview |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/200,738 US9213849B2 (en) | 2008-08-28 | 2008-08-28 | Hierarchical access control administration preview |
Publications (2)
Publication Number | Publication Date |
---|---|
US20100058434A1 US20100058434A1 (en) | 2010-03-04 |
US9213849B2 true US9213849B2 (en) | 2015-12-15 |
Family
ID=41727300
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/200,738 Expired - Fee Related US9213849B2 (en) | 2008-08-28 | 2008-08-28 | Hierarchical access control administration preview |
Country Status (1)
Country | Link |
---|---|
US (1) | US9213849B2 (en) |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP2577446A4 (en) * | 2010-05-27 | 2014-04-02 | Varonis Systems Inc | Automation framework |
US9680839B2 (en) | 2011-01-27 | 2017-06-13 | Varonis Systems, Inc. | Access permissions management system and method |
WO2012101620A1 (en) * | 2011-01-27 | 2012-08-02 | Varonis Systems, Inc. | Access permissions management system and method |
US9430116B2 (en) * | 2013-02-12 | 2016-08-30 | International Business Machines Corporation | Visualization of runtime resource policy attachments and applied policy details |
CN104750700A (en) * | 2013-12-26 | 2015-07-01 | 珠海金山办公软件有限公司 | Document providing method and device |
US10809868B1 (en) * | 2014-12-22 | 2020-10-20 | EMC IP Holding Company LLC | Simplified feature management |
US11665204B2 (en) * | 2020-04-21 | 2023-05-30 | Kinaxis Inc. | Computer implemented method and apparatus for management of non-binary privileges in a structured user environment |
Patent Citations (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5675782A (en) * | 1995-06-06 | 1997-10-07 | Microsoft Corporation | Controlling access to objects on multiple operating systems |
US5761669A (en) * | 1995-06-06 | 1998-06-02 | Microsoft Corporation | Controlling access to objects on multiple operating systems |
US20030220838A1 (en) * | 2002-03-01 | 2003-11-27 | Makoto Ishii | Cut-list creation system, center server, advertisement creation terminals, computer programs, storage media and cut-list creation method of center server |
US20060173999A1 (en) * | 2002-08-07 | 2006-08-03 | Rider Kenneth D | System and method for securing network resources |
US7461158B2 (en) * | 2002-08-07 | 2008-12-02 | Intelliden, Inc. | System and method for controlling access rights to network resources |
US20090240822A1 (en) * | 2002-08-07 | 2009-09-24 | Rider Kenneth D | System and Method for Controlling Access Rights to Network Resources |
US20040254884A1 (en) * | 2002-12-20 | 2004-12-16 | Sap Aktiengesellschaft | Content catalog and application designer framework |
US20060294578A1 (en) * | 2005-06-23 | 2006-12-28 | Microsoft Corporation | Unified authorization for heterogeneous applications |
US20060294051A1 (en) * | 2005-06-23 | 2006-12-28 | Microsoft Corporation | Uniform access to entities in registered data store services |
US20080098484A1 (en) * | 2006-10-24 | 2008-04-24 | Avatier Corporation | Self-service resource provisioning having collaborative compliance enforcement |
US20090007262A1 (en) * | 2007-06-29 | 2009-01-01 | Bea Systems, Inc. | Computer readable medium for resolving permission for role activation operators |
US20090119298A1 (en) * | 2007-11-06 | 2009-05-07 | Varonis Systems Inc. | Visualization of access permission status |
Also Published As
Publication number | Publication date |
---|---|
US20100058434A1 (en) | 2010-03-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9213849B2 (en) | Hierarchical access control administration preview | |
US8887271B2 (en) | Method and system for managing object level security using an object definition hierarchy | |
US8296820B2 (en) | Applying security policies to multiple systems and controlling policy propagation | |
US6535879B1 (en) | Access control via properties system | |
KR101432317B1 (en) | Translating role-based access control policy to resource authorization policy | |
US8332359B2 (en) | Extended system for accessing electronic documents with revision history in non-compatible repositories | |
CA2746587C (en) | System and method for performing access control | |
US8095629B2 (en) | Managing user accounts and groups in multiple forests | |
EP2366164A1 (en) | Method and system for impersonating a user | |
US7370344B2 (en) | Computer-implemented data access security system and method | |
JP2003536176A (en) | Evidence-based security policy manager | |
US20080022201A1 (en) | Personalized fine granularity access control for calendar systems | |
US7107538B1 (en) | Enforcing security on an attribute of an object | |
US8341733B2 (en) | Creating secured file views in a software partition | |
US8887241B2 (en) | Virtual roles | |
US9292703B2 (en) | Electronic document management method | |
US11720607B2 (en) | System for lightweight objects | |
US8037525B2 (en) | Access control and entitlement determination for hierarchically organized content | |
WO2009113483A1 (en) | Access control system, access control method, and recording medium | |
US20090183239A1 (en) | Embedded management system for a physical device having virtual elements | |
US20120210419A1 (en) | Security management for an integrated console for applications associated with multiple user registries | |
CN107172102A (en) | Data access method, system and storage medium | |
US9092254B2 (en) | Enabling multi-tenancy for integrated development environment software in virtual environments | |
US11405381B2 (en) | Tag-based access permissions for cloud computing resources | |
US7124132B1 (en) | Domain specification system for an LDAP ACI entry |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION,NEW YO Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CHUSING, TREVETT B.;STEPHENSON, JOHN W.;ZHANG, LEI;REEL/FRAME:021458/0947 Effective date: 20080828 Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CHUSING, TREVETT B.;STEPHENSON, JOHN W.;ZHANG, LEI;REEL/FRAME:021458/0947 Effective date: 20080828 |
|
ZAAA | Notice of allowance and fees due |
Free format text: ORIGINAL CODE: NOA |
|
ZAAB | Notice of allowance mailed |
Free format text: ORIGINAL CODE: MN/=. |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 4 |
|
FEPP | Fee payment procedure |
Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
LAPS | Lapse for failure to pay maintenance fees |
Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
|
STCH | Information on status: patent discontinuation |
Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362 |
|
FP | Lapsed due to failure to pay maintenance fee |
Effective date: 20231215 |